search

Trigus42 / alpine-qbittorrentvpn

Multiarch docker image with the latest qBittorrent-nox client (WEB UI) and WireGuard/OpenVPN tunnel
GNU General Public License v3.0
73 stars 14 forks source link

[ERROR] Trying to run in unprivileged mode but net.ipv4.conf.all.src_valid_mark = 0 #54

Closed shirespours closed 4 months ago

shirespours commented 8 months ago

I am unable to boot the container. Whenever I do I get this error and then it just sits there.

[cont-init.d] 10-environment.sh: exited 0. [cont-init.d] 20-vpn.sh: executing... 2024-01-11 07:23:55 [INFO] Choosen VPN config: 'wg0.conf' dos2unix: converting file /config/wireguard/wg0.conf to Unix format... 2024-01-11 07:23:55 [INFO] VPN remote line defined as 'HOSTNAME' 2024-01-11 07:23:55 [INFO] VPN_REMOTE defined as 'HOSTNAME' 2024-01-11 07:23:55 [INFO] VPN_PORT defined as '443' 2024-01-11 07:23:55 [INFO] VPN_PROTOCOL set as 'udp', since WireGuard is always udp. 2024-01-11 07:23:55 [INFO] VPN_DEVICE_TYPE set as 'wg0' 2024-01-11 07:23:55 [ERROR] Trying to run in unprivileged mode but net.ipv4.conf.all.src_valid_mark = 0

Tried erasing everything and starting from scratch and I still get the same error.

Trigus42 commented 8 months ago

Do you have net.ipv4.conf.all.src_valid_mark set to 1 in the compose or docker run command? Please take a look at this example.

shirespours commented 8 months ago

Well that kind of worked. Now I get this [cont-init.d] 20-vpn.sh: exited 0. [cont-init.d] 30-network.sh: executing... Error: syntax error, unexpected '}' add element inet firewall vpn_ipv6 { } ^ [cont-init.d] 30-network.sh: exited 0. [cont-init.d] 40-qbittorrent-setup.sh: executing...

Trigus42 commented 8 months ago

Can you please pull the new image, set the environment variable DEBUG=yes and post the container logs?

shirespours commented 8 months ago

Sorry, got really busy, here it is:


[s6-init] ensuring user provided files have correct perms...exited 0.
[fix-attrs.d] applying ownership & permissions fixes...
[fix-attrs.d] done.
[cont-init.d] executing container initialization scripts...
[cont-init.d] 10-environment.sh: executing... 
2024-01-15 18:58:24 [WARNING] LAN_NETWORK is deprecated, might not work in future versions and is no longer needed. Obmit or use WEBUI_ALLOWED_NETWORKS to restrict access instead
2024-01-15 18:58:24 [INFO] HEALTH_CHECK_INTERVAL is not set. Using default interval of 5s
2024-01-15 18:58:24 [INFO] HEALTH_CHECK_TIMEOUT is not set. Using default interval of 5s
2024-01-15 18:58:24 [DEBUG] Docker interface defined as eth0
2024-01-15 18:58:24 [DEBUG] Docker IPv4 address defined as CONTAINERIP
2024-01-15 18:58:24 [INFO] Docker IPv4 network defined as CONTAINERSUBNET
2024-01-15 18:58:24 [DEBUG] Default IPv4 gateway defined as CONTAINERGATEWAY
2024-01-15 18:58:24 [INFO] PUID defined as 1001
2024-01-15 18:58:24 [INFO] PGID defined as 1002
2024-01-15 18:58:24 [INFO] An user with PUID 1001 already exists in /etc/passwd, nothing to do.
2024-01-15 18:58:24 [INFO] VPN_ENABLED defined as 'yes'
2024-01-15 18:58:24 [INFO] VPN_TYPE defined as 'wireguard'
2024-01-15 18:58:24 [INFO] NAME_SERVERS defined as '8.8.8.8,1.1.1.1'
2024-01-15 18:58:24 [INFO] Adding 8.8.8.8 to resolv.conf
2024-01-15 18:58:24 [INFO] Adding 1.1.1.1 to resolv.conf
[cont-init.d] 10-environment.sh: exited 0.
[cont-init.d] 20-vpn.sh: executing... 
2024-01-15 18:58:24 [INFO] Choosen VPN config: 'wg0.conf'
dos2unix: converting file /config/wireguard/wg0.conf to Unix format...
2024-01-15 18:58:24 [INFO] VPN remote line defined as 'VPNHOSTNAME:443'
2024-01-15 18:58:24 [INFO] VPN_REMOTE defined as 'VPNHOSTNAME'
2024-01-15 18:58:24 [INFO] VPN_PORT defined as '443'
2024-01-15 18:58:24 [INFO] VPN_PROTOCOL set as 'udp', since WireGuard is always udp.
2024-01-15 18:58:24 [INFO] VPN_DEVICE_TYPE set as 'wg0'
2024-01-15 18:58:24 [DEBUG] Route: 8.8.8.8 via CONTAINERGATEWAY dev eth0 src CONTAINERIP uid 0 
2024-01-15 18:58:24 [DEBUG] Ping to 8.8.8.8 succeeded
2024-01-15 18:58:24 [DEBUG] VPNHOSTNAME resolved to VPNIP
2024-01-15 18:58:24 [DEBUG] Ping to VPNIP via eth0 succeeded
2024-01-15 18:58:24 [INFO] Starting WireGuard...
--------------------
Warning: `/config/wireguard/wg0.conf' is world accessible
[#] ip link add wg0 type wireguard
[#] wg setconf wg0 /dev/fd/63
[#] ip -4 address add INTERFACEIP/32 dev wg0
[#] ip link set mtu 1420 up dev wg0
[#] resolvconf -a wg0 -m 0 -x
[#] wg set wg0 fwmark 51820
[#] ip -4 route add 0.0.0.0/0 dev wg0 table 51820
[#] ip -4 rule add not fwmark 51820 table 51820
[#] ip -4 rule add table main suppress_prefixlength 0
[#] nft -f /dev/fd/63
--------------------
2024-01-15 18:58:25 [DEBUG] Route: 8.8.8.8 dev wg0 table 51820 src INTERFACEIP uid 0 
2024-01-15 18:58:25 [DEBUG] Ping to 8.8.8.8 succeeded
2024-01-15 18:58:25 [DEBUG] Ping to VPNIP via eth0 succeeded
[cont-init.d] 20-vpn.sh: exited 0.
[cont-init.d] 30-network.sh: executing... 
2024-01-15 18:58:25 [DEBUG] VPN_REMOTE_IPv4_ADDRESSES defined as (VPNIP)
2024-01-15 18:58:25 [DEBUG] VPN_REMOTE_IPv6_ADDRESSES defined as ()
Error: syntax error, unexpected '}'
add element inet firewall vpn_ipv6 {  }
                                      ^
2024-01-15 18:58:25 [DEBUG] 'main' routing table defined as follows...
--------------------
default via CONTAINERGATEWAY dev eth0 
CONTAINERSUBNET dev eth0 proto kernel scope link src CONTAINERIP 
--------------------
2024-01-15 18:58:25 [DEBUG] ip rules defined as follows...
--------------------
0:  from all lookup local
32762:  from all fwmark 0x1f90 lookup main suppress_prefixlength 1
32763:  from all fwmark 0x1f90 lookup webui
32764:  from all lookup main suppress_prefixlength 0
32765:  not from all fwmark 0xca6c lookup 51820
32766:  from all lookup main
32767:  from all lookup default
--------------------
2024-01-15 18:58:25 [DEBUG] nft ruleset defined as follows...
--------------------
# Warning: table ip nat is managed by iptables-nft, do not touch!
table ip nat {
    chain DOCKER_OUTPUT {
        ip daddr 127.0.0.11 tcp dport 53 counter packets 0 bytes 0 xt target "DNAT"
        ip daddr 127.0.0.11 udp dport 53 counter packets 2 bytes 171 xt target "DNAT"
    }

    chain OUTPUT {
        type nat hook output priority dstnat; policy accept;
        ip daddr 127.0.0.11 counter packets 2 bytes 171 jump DOCKER_OUTPUT
    }

    chain DOCKER_POSTROUTING {
        ip saddr 127.0.0.11 tcp sport 38225 counter packets 0 bytes 0 xt target "SNAT"
        ip saddr 127.0.0.11 udp sport 50133 counter packets 0 bytes 0 xt target "SNAT"
    }

    chain POSTROUTING {
        type nat hook postrouting priority srcnat; policy accept;
        ip daddr 127.0.0.11 counter packets 2 bytes 171 jump DOCKER_POSTROUTING
    }
}
table ip wg-quick-wg0 {
    chain preraw {
        type filter hook prerouting priority raw; policy accept;
        iifname != "wg0" ip daddr INTERFACEIP fib saddr type != local drop
    }

    chain premangle {
        type filter hook prerouting priority mangle; policy accept;
        meta l4proto udp meta mark set ct mark
    }

    chain postmangle {
        type filter hook postrouting priority mangle; policy accept;
        meta l4proto udp meta mark 0x0000ca6c ct mark set meta mark
    }
}
table inet qbt-mark {
    chain prerouting {
        type filter hook prerouting priority mangle; policy accept;
        tcp dport 8080 ct state new ct mark set 0x00002382 counter packets 0 bytes 0 comment "Track new WebUI connections"
    }

    chain output {
        type route hook output priority mangle; policy accept;
        ct mark 0x00002382 meta mark set 0x00001f90 counter packets 0 bytes 0 comment "Add mark to outgoing packets belonging to a WebUI connection"
    }
}
table inet firewall {
    set vpn_ipv4 {
        type ipv4_addr
        elements = { VPNIP }
    }

    set vpn_ipv6 {
        type ipv6_addr
    }

    set webui_allowed_networks_ipv4 {
        type ipv4_addr
        flags interval
        elements = { CONTAINERSUBNET, 192.168.1.0/24,
                 192.168.2.1 }
    }

    set webui_allowed_networks_ipv6 {
        type ipv6_addr
        flags interval
    }

    chain input {
        type filter hook input priority filter; policy drop;
        iifname "wg0" accept comment "Accept input from VPN tunnel"
        iifname "eth0" udp sport 443 ip saddr @vpn_ipv4 accept comment "Accept input from VPN server \(IPv4\)"
        iifname "eth0" udp sport 443 ip6 saddr @vpn_ipv6 accept comment "Accept input from VPN server \(IPv6\)"
        iifname "lo" accept comment "Accept input from internal loopback"
        tcp dport 8080 ip saddr @webui_allowed_networks_ipv4 counter packets 0 bytes 0 accept comment "Accept input to the qBt WebUI \(IPv4\)"
        tcp dport 8080 ip6 saddr @webui_allowed_networks_ipv6 counter packets 0 bytes 0 accept comment "Accept input to the qBt WebUI \(IPv6\)"
    }

    chain output {
        type filter hook postrouting priority filter; policy drop;
        oifname "wg0" accept comment "Accept output to VPN tunnel"
        oifname "eth0" udp dport 443 ip daddr @vpn_ipv4 accept comment "Accept output to VPN server \(IPv4\)"
        oifname "eth0" udp dport 443 ip6 daddr @vpn_ipv6 accept comment "Accept output to VPN server \(IPv6\)"
        tcp sport 8080 meta mark 0x00001f90 counter packets 0 bytes 0 accept comment "Accept outgoing packets belonging to a WebUI connection"
        iifname "lo" accept comment "Accept output to internal loopback"
    }
}
--------------------
2024-01-15 18:58:25 [DEBUG] Route: 8.8.8.8 dev wg0 table 51820 src INTERFACEIP uid 0 
2024-01-15 18:58:25 [DEBUG] Ping to 8.8.8.8 succeeded
2024-01-15 18:58:26 [DEBUG] Ping to VPNIP via eth0 failed
[cont-init.d] 30-network.sh: exited 0.
[cont-init.d] 40-qbittorrent-setup.sh: executing... 
2024-01-15 18:58:26 [WARNING] ENABLE_SSL is set to , SSL is not enabled. This could cause issues with logging if other apps use the same Cookie name (SID).
2024-01-15 18:58:26 [WARNING] If you manage the SSL config yourself, you can ignore this.
2024-01-15 18:58:26 [INFO] UMASK defined as '002'
[cont-init.d] 40-qbittorrent-setup.sh: exited 0.
[cont-init.d] done.
[services.d] starting services
2024-01-15 18:58:26 [INFO] Logging to /config/qBittorrent/data/logs/qbittorrent.log.
[services.d] done.
2024-01-15 18:58:26 [INFO] Trying to ping 1.1.1.1 and 8.8.8.8 over the docker interface for 1 second...
2024-01-15 18:58:28 [INFO] Success: Could not connect. This means the firewall is most likely working properly.
2024-01-15 18:58:28 [INFO] qBittorrent started with PID 546
[cont-finish.d] executing container finish scripts...
[cont-finish.d] done.
[s6-finish] waiting for services.
[s6-finish] sending all processes the TERM signal.
[s6-finish] sending all processes the KILL signal and exiting.```
Trigus42 commented 8 months ago

Should be fixed in https://github.com/Trigus42/alpine-qbittorrentvpn/commit/415793ce915ee7058b9cbea2d48b47e504638db7

shirespours commented 8 months ago

Hmmm.. Not getting that error anymore however now I'm getting another weird thing. Appears to be no error, it just runs for about 3-5 minutes, then says network appears to be down and reboots...


[s6-init] ensuring user provided files have correct perms...exited 0.
[fix-attrs.d] applying ownership & permissions fixes...
[fix-attrs.d] done.
[cont-init.d] executing container initialization scripts...
[cont-init.d] 10-environment.sh: executing... 
2024-01-16 22:03:00 [WARNING] LAN_NETWORK is deprecated, might not work in future versions and is no longer needed. Obmit or use WEBUI_ALLOWED_NETWORKS to restrict access instead
2024-01-16 22:03:00 [INFO] HEALTH_CHECK_INTERVAL is not set. Using default interval of 5s
2024-01-16 22:03:00 [INFO] HEALTH_CHECK_TIMEOUT is not set. Using default interval of 5s
2024-01-16 22:03:00 [DEBUG] Docker interface defined as eth0
2024-01-16 22:03:00 [DEBUG] Docker IPv4 address defined as CONTAINERIP
2024-01-16 22:03:00 [INFO] Docker IPv4 network defined as CONTAINERSUBNET/24
2024-01-16 22:03:00 [DEBUG] Default IPv4 gateway defined as CONTAINERGATEWAY
2024-01-16 22:03:00 [INFO] PUID defined as 1001
2024-01-16 22:03:00 [INFO] PGID defined as 1002
2024-01-16 22:03:00 [INFO] An user with PUID 1001 already exists in /etc/passwd, nothing to do.
2024-01-16 22:03:00 [INFO] VPN_ENABLED defined as 'yes'
2024-01-16 22:03:00 [INFO] VPN_TYPE defined as 'wireguard'
2024-01-16 22:03:00 [INFO] NAME_SERVERS defined as '1.1.1.1,8.8.8.8'
2024-01-16 22:03:00 [INFO] Adding 1.1.1.1 to resolv.conf
2024-01-16 22:03:00 [INFO] Adding 8.8.8.8 to resolv.conf
[cont-init.d] 10-environment.sh: exited 0.
[cont-init.d] 20-vpn.sh: executing... 
2024-01-16 22:03:00 [INFO] Choosen VPN config: 'wg0.conf'
dos2unix: converting file /config/wireguard/wg0.conf to Unix format...
2024-01-16 22:03:00 [INFO] VPN remote line defined as 'VPNHOSTNAME:443'
2024-01-16 22:03:00 [INFO] VPN_REMOTE defined as 'VPNHOSTNAME'
2024-01-16 22:03:00 [INFO] VPN_PORT defined as '443'
2024-01-16 22:03:00 [INFO] VPN_PROTOCOL set as 'udp', since WireGuard is always udp.
2024-01-16 22:03:00 [INFO] VPN_DEVICE_TYPE set as 'wg0'
2024-01-16 22:03:00 [DEBUG] Route: 1.1.1.1 via CONTAINERGATEWAY dev eth0 src CONTAINERIP uid 0 
2024-01-16 22:03:00 [DEBUG] Ping to 1.1.1.1 succeeded
2024-01-16 22:03:00 [DEBUG] VPNHOSTNAME resolved to VPNIP
2024-01-16 22:03:00 [DEBUG] Ping to VPNIP via eth0 succeeded
2024-01-16 22:03:00 [INFO] Starting WireGuard...
--------------------
Warning: `/config/wireguard/wg0.conf' is world accessible
[#] ip link add wg0 type wireguard
[#] wg setconf wg0 /dev/fd/63
[#] ip -4 address add VPNINTERFACEIP/32 dev wg0
[#] ip link set mtu 1420 up dev wg0
[#] resolvconf -a wg0 -m 0 -x
[#] wg set wg0 fwmark 51820
[#] ip -4 route add 0.0.0.0/0 dev wg0 table 51820
[#] ip -4 rule add not fwmark 51820 table 51820
[#] ip -4 rule add table main suppress_prefixlength 0
[#] nft -f /dev/fd/63
--------------------
2024-01-16 22:03:00 [DEBUG] Route: 1.1.1.1 dev wg0 table 51820 src VPNINTERFACEIP uid 0 
2024-01-16 22:03:00 [DEBUG] Ping to 1.1.1.1 succeeded
2024-01-16 22:03:01 [DEBUG] VPNHOSTNAME resolved to VPNIP
2024-01-16 22:03:01 [DEBUG] Ping to VPNIP via eth0 succeeded
[cont-init.d] 20-vpn.sh: exited 0.
[cont-init.d] 30-network.sh: executing... 
2024-01-16 22:03:01 [DEBUG] VPN_REMOTE_IPv4_ADDRESSES defined as (VPNIP)
2024-01-16 22:03:01 [DEBUG] VPN_REMOTE_IPv6_ADDRESSES defined as ()
2024-01-16 22:03:01 [DEBUG] 'main' routing table defined as follows...
--------------------
default via CONTAINERGATEWAY dev eth0 
CONTAINERSUBNET/24 dev eth0 proto kernel scope link src CONTAINERIP 
--------------------
2024-01-16 22:03:01 [DEBUG] ip rules defined as follows...
--------------------
0:  from all lookup local
32762:  from all fwmark 0x1f90 lookup main suppress_prefixlength 1
32763:  from all fwmark 0x1f90 lookup webui
32764:  from all lookup main suppress_prefixlength 0
32765:  not from all fwmark 0xca6c lookup 51820
32766:  from all lookup main
32767:  from all lookup default
--------------------
2024-01-16 22:03:01 [DEBUG] nft ruleset defined as follows...
--------------------
table ip nat {
    chain DOCKER_OUTPUT {
        ip daddr 127.0.0.11 tcp dport 53 counter packets 0 bytes 0 xt target "DNAT"
# Warning: table ip nat is managed by iptables-nft, do not touch!
        ip daddr 127.0.0.11 udp dport 53 counter packets 3 bytes 268 xt target "DNAT"
    }

    chain OUTPUT {
        type nat hook output priority dstnat; policy accept;
        ip daddr 127.0.0.11 counter packets 3 bytes 268 jump DOCKER_OUTPUT
    }

    chain DOCKER_POSTROUTING {
        ip saddr 127.0.0.11 tcp sport 37719 counter packets 0 bytes 0 xt target "SNAT"
        ip saddr 127.0.0.11 udp sport 50581 counter packets 0 bytes 0 xt target "SNAT"
    }

    chain POSTROUTING {
        type nat hook postrouting priority srcnat; policy accept;
        ip daddr 127.0.0.11 counter packets 3 bytes 268 jump DOCKER_POSTROUTING
    }
}
table ip wg-quick-wg0 {
    chain preraw {
        type filter hook prerouting priority raw; policy accept;
        iifname != "wg0" ip daddr VPNINTERFACEIP fib saddr type != local drop
    }

    chain premangle {
        type filter hook prerouting priority mangle; policy accept;
        meta l4proto udp meta mark set ct mark
    }

    chain postmangle {
        type filter hook postrouting priority mangle; policy accept;
        meta l4proto udp meta mark 0x0000ca6c ct mark set meta mark
    }
}
table inet qbt-mark {
    chain prerouting {
        type filter hook prerouting priority mangle; policy accept;
        tcp dport 8080 ct state new ct mark set 0x00002382 counter packets 0 bytes 0 comment "Track new WebUI connections"
    }

    chain output {
        type route hook output priority mangle; policy accept;
        ct mark 0x00002382 meta mark set 0x00001f90 counter packets 0 bytes 0 comment "Add mark to outgoing packets belonging to a WebUI connection"
    }
}
table inet firewall {
    set vpn_ipv4 {
        type ipv4_addr
        elements = { VPNIP }
    }

    set vpn_ipv6 {
        type ipv6_addr
    }

    set webui_allowed_networks_ipv4 {
        type ipv4_addr
        flags interval
        elements = { CONTAINERSUBNET/24, 192.168.1.0/24,
                 192.168.2.1 }
    }

    set webui_allowed_networks_ipv6 {
        type ipv6_addr
        flags interval
    }

    chain input {
        type filter hook input priority filter; policy drop;
        iifname "wg0" accept comment "Accept input from VPN tunnel"
        iifname "eth0" udp sport 443 ip saddr @vpn_ipv4 accept comment "Accept input from VPN server \(IPv4\)"
        iifname "eth0" udp sport 443 ip6 saddr @vpn_ipv6 accept comment "Accept input from VPN server \(IPv6\)"
        iifname "lo" accept comment "Accept input from internal loopback"
        tcp dport 8080 ip saddr @webui_allowed_networks_ipv4 counter packets 0 bytes 0 accept comment "Accept input to the qBt WebUI \(IPv4\)"
        tcp dport 8080 ip6 saddr @webui_allowed_networks_ipv6 counter packets 0 bytes 0 accept comment "Accept input to the qBt WebUI \(IPv6\)"
    }

    chain output {
        type filter hook postrouting priority filter; policy drop;
        oifname "wg0" accept comment "Accept output to VPN tunnel"
        oifname "eth0" udp dport 443 ip daddr @vpn_ipv4 accept comment "Accept output to VPN server \(IPv4\)"
        oifname "eth0" udp dport 443 ip6 daddr @vpn_ipv6 accept comment "Accept output to VPN server \(IPv6\)"
        tcp sport 8080 meta mark 0x00001f90 counter packets 0 bytes 0 accept comment "Accept outgoing packets belonging to a WebUI connection"
        iifname "lo" accept comment "Accept output to internal loopback"
    }
}
--------------------
2024-01-16 22:03:01 [DEBUG] Route: 1.1.1.1 dev wg0 table 51820 src VPNINTERFACEIP uid 0 
2024-01-16 22:03:01 [DEBUG] Ping to 1.1.1.1 succeeded
2024-01-16 22:03:02 [DEBUG] Ping to VPNIP via eth0 failed
[cont-init.d] 30-network.sh: exited 0.
[cont-init.d] 40-qbittorrent-setup.sh: executing... 
2024-01-16 22:03:02 [WARNING] ENABLE_SSL is set to , SSL is not enabled. This could cause issues with logging if other apps use the same Cookie name (SID).
2024-01-16 22:03:02 [WARNING] If you manage the SSL config yourself, you can ignore this.
2024-01-16 22:03:02 [INFO] UMASK defined as '002'
[cont-init.d] 40-qbittorrent-setup.sh: exited 0.
[cont-init.d] done.
[services.d] starting services
2024-01-16 22:03:02 [INFO] Logging to /config/qBittorrent/data/logs/qbittorrent.log.
2024-01-16 22:03:02 [INFO] Trying to ping 1.1.1.1 and 8.8.8.8 over the docker interface for 1 second...
[services.d] done.
2024-01-16 22:03:04 [INFO] Success: Could not connect. This means the firewall is most likely working properly.
2024-01-16 22:03:04 [INFO] qBittorrent started with PID 553
2024-01-16 22:07:15 [NOTICE] Network seems to be down. Retrying..
2024-01-16 22:07:15 [DEBUG] Last failed ping:
--------------------
PING 1.1.1.1 (1.1.1.1) 56(84) bytes of data.

--- 1.1.1.1 ping statistics ---
1 packets transmitted, 0 received, 100% packet loss, time 0ms
--------------------
2024-01-16 22:07:15 [ERROR] Network is down. Exiting..
[cont-finish.d] executing container finish scripts...
[cont-finish.d] done.
[s6-finish] waiting for services.
[s6-finish] sending all processes the TERM signal.
[s6-finish] sending all processes the KILL signal and exiting.```
Trigus42 commented 8 months ago

Maybe your connection or your VPN is unstable? Please try increasing HEALTH_CHECK_TIMEOUT

yacob841 commented 8 months ago

I’ll try that, I didn’t have this issue with the now archived DyonR version but I’ll try increasing health check

yacob841 commented 8 months ago

Oops, might know why. I kept the DyonRs health check amount instead of interval and timeout. Let’s see if that works